This codebase was entirely generated by Claude (Anthropic). No human authorship is claimed over the generated code.
An enterprise-grade OAuth 2.0 / OpenID Connect authorization server built with C# 13, .NET 10, and PostgreSQL.
Headless and API-first — bring your own login UI. Gatekeeper handles protocol compliance, token lifecycle, MFA, provisioning, and policy enforcement.
### OAuth 2.0 / OIDC
- Authorization Code + PKCE, Client Credentials, Device Authorization, CIBA, Token Exchange (RFC 8693)
- Refresh token rotation with automatic revocation on reuse detection
- Dynamic Client Registration (RFC 7591/7592)
- Grant Management API, Pushed Authorization Requests (PAR), JWT-Secured Authorization Requests (JAR)
- FAPI 2.0 compliance profiles
### Authentication
- Identifier-first login, passwordless (magic link, email/SMS OTP)
- MFA: TOTP, WebAuthn/Passkeys, SMS OTP, email OTP, backup codes
- Smart card / certificate-based authentication
- Device posture assessment, context-aware access policies
### Federation
- External OIDC / OAuth identity providers with automatic account linking
- SAML 2.0 SP and IdP
- WS-Federation, WS-Trust, CAS protocol support
- LDAP directory integration
### Provisioning & Directory
- SCIM 2.0 (Users and Groups)
- HRIS integration (Workday, BambooHR)
- Bulk user import/export, user lifecycle management
- Organizations, groups, roles, and fine-grained permissions
### Authorization
- UMA 2.0 (User-Managed Access) with resource sets, permission tickets, and claims gathering
- Sandboxed JavaScript policy engine (Jint) with approval workflows
### Observability & Security
- Tamper-evident audit logging with HMAC chain integrity
- OpenTelemetry tracing and metrics
- Webhook delivery with retry and dead-letter queue
- Real-time event streaming (SSE)
- Threat intelligence integration, risk scoring
- HIPAA BAA compliance reporting, DSAR data export
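The HMAC-chained audit log listed above, shown as an added C# example rather than Gatekeeper's own implementation; `HmacChainedAuditLog`, its key handling and the event strings are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Constructed walkthrough: three entries, then a silent edit of the second one.
var log = new HmacChainedAuditLog(RandomNumberGenerator.GetBytes(32));
log.Append("client.created client=demo-client");
log.Append("token.issued client=demo-client");
log.Append("client.secret.rotated client=demo-client");
Console.WriteLine(log.FirstBrokenSeq(log.Entries));   // 0: chain intact
var forged = new List<HmacChainedAuditLog.Entry>(log.Entries);
forged[1] = forged[1] with { Event = "token.issued client=other" };
Console.WriteLine(log.FirstBrokenSeq(forged));        // 2: tag of the edited entry no longer verifies
// Hypothetical chained audit log (example only, not Gatekeeper's own implementation).
// Each tag covers the previous tag, so editing, deleting or reordering an entry breaks every later link.
public sealed class HmacChainedAuditLog
{
    public sealed record Entry(long Seq, string Event, string PrevTag, string Tag);
    private static readonly string Genesis = new string('0', 64);
    private readonly byte[] _key;
    private readonly List<Entry> _entries = new();
    public IReadOnlyList<Entry> Entries => _entries;
    public HmacChainedAuditLog(byte[] key) => _key = key;
    // seq and prevTag have fixed formats, so the free-text event goes last and needs no escaping.
    private string Tag(long seq, string prevTag, string evt) =>
        Convert.ToHexString(HMACSHA256.HashData(_key, Encoding.UTF8.GetBytes($"{seq}|{prevTag}|{evt}")));
    public Entry Append(string evt)
    {
        string prev = _entries.Count == 0 ? Genesis : _entries[^1].Tag;
        var entry = new Entry(_entries.Count + 1, evt, prev, Tag(_entries.Count + 1, prev, evt));
        _entries.Add(entry);
        return entry;
    }
    // Returns the 1-based position of the first broken link, or 0 when the whole chain verifies.
    public long FirstBrokenSeq(IReadOnlyList<Entry> entries)
    {
        string prev = Genesis;
        for (int i = 0; i < entries.Count; i++)
        {
            Entry e = entries[i];
            string expected = Tag(e.Seq, e.PrevTag, e.Event);
            bool ok = e.Seq == i + 1 && e.PrevTag == prev && CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(e.Tag), Encoding.UTF8.GetBytes(expected));
            if (!ok) return i + 1;
            prev = e.Tag;
        }
        return 0;
    }
}
```

In a deployment the MAC key must live outside the log store (otherwise whoever edits the log can re-tag it), and the last tag should be checkpointed somewhere independent so truncation of the tail is also detectable.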
### Multi-Tenancy & Operations
- Tenant isolation via PostgreSQL schemas
- Signing key management with AES-256-GCM encryption at rest
- Custom domains per organization
- Admin API key authentication for all management operations
- GraphQL admin API (HotChocolate) alongside REST
- CLI tool (`gatekeeper`) for common operations
```bash
# Clone and start all services
git clone https://github.com/yourorg/gatekeeper.git
cd gatekeeper
docker compose up -d
# Gatekeeper is now running at http://localhost:5000
# Default admin API key: dev-bootstrap-key (change immediately in production)
```

Verify it's running:

```bash
curl http://localhost:5000/.well-known/openid-configuration
curl -H "X-Api-Key: dev-bootstrap-key" http://localhost:5000/api/v1/status
```

All configuration is via environment variables prefixed with `GATEKEEPER__`:
| Variable | Required | Description |
|---|---|---|
| `GATEKEEPER__Database__ConnectionString` | Yes | PostgreSQL connection string |
| `GATEKEEPER__Redis__ConnectionString` | Yes | Redis connection string |
| `GATEKEEPER__Security__KeyEncryptionKey` | Yes | 32-byte hex key for signing key encryption at rest |
| `GATEKEEPER__Admin__BootstrapApiKey` | Yes | Initial admin API key |
See docs/configuration.md for the full reference.
```
┌─────────────────────────────────────────────────┐
│ Gatekeeper.Server (ASP.NET Core)                │
│ Controllers, Middleware, GraphQL, DI            │
├─────────────────────────────────────────────────┤
│ Gatekeeper.Infrastructure                       │
│ EF Core, Redis, Services, Hosted Services       │
├─────────────────────────────────────────────────┤
│ Gatekeeper.Core                                 │
│ Interfaces, Models, DTOs, Constants, Events     │
│ (zero infrastructure dependencies)              │
└─────────────────────────────────────────────────┘
```
- Core defines all abstractions. Infrastructure implements them. Server wires DI and exposes HTTP.
- Grant handlers are pluggable — each `IGrantHandler` is registered by `grant_type`.
- Multi-tenancy is resolved per-request via `TenantResolutionMiddleware`.
- All secrets are hashed (Argon2id for client secrets, SHA-256 for tokens). Plaintext is returned once, never stored.
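The hashed-at-rest token handling described above, combined with the refresh-token rotation and reuse detection listed under OAuth 2.0 / OIDC, as an added C# illustration; `RefreshTokenStore` is a hypothetical in-memory stand-in written for this example, not one of Gatekeeper's own types.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Constructed walkthrough: one legitimate rotation, then replay of the consumed token.
var store = new RefreshTokenStore();
string first = store.Issue();
string second = store.Rotate(first)!;               // legitimate rotation succeeds
Console.WriteLine(store.Rotate(first) is null);      // True: reuse detected, family revoked
Console.WriteLine(store.Rotate(second) is null);     // True: the successor is dead as well

// Hypothetical in-memory store (example only, not Gatekeeper's own types).
public sealed class RefreshTokenStore
{
    private sealed record Entry(string FamilyId, bool Consumed);
    // Keyed by the SHA-256 hash of the opaque token; the plaintext is never stored.
    private readonly Dictionary<string, Entry> _byHash = new();
    private readonly HashSet<string> _revokedFamilies = new();
    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
    private static string NewToken() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
    // Start a new token family; the plaintext is handed back exactly once.
    public string Issue()
    {
        string token = NewToken();
        _byHash[Hash(token)] = new Entry(Guid.NewGuid().ToString("N"), Consumed: false);
        return token;
    }

    // Consume the presented token and issue its successor in the same family.
    // Returns null for unknown tokens, revoked families, and detected reuse.
    public string? Rotate(string presented)
    {
        string key = Hash(presented);
        if (!_byHash.TryGetValue(key, out Entry? entry)) return null;
        if (_revokedFamilies.Contains(entry.FamilyId)) return null;
        if (entry.Consumed)
        {
            // An already-rotated token came back: someone holds a copy, so revoke the family.
            _revokedFamilies.Add(entry.FamilyId);
            return null;
        }
        _byHash[key] = entry with { Consumed = true };
        string next = NewToken();
        _byHash[Hash(next)] = new Entry(entry.FamilyId, Consumed: false);
        return next;
    }
}
```

Because only the SHA-256 digest is persisted, a copy of the store does not yield usable tokens, and the family-wide revocation on reuse means a stolen token is invalidated as soon as either holder rotates it a second time.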
| Group | Base Path | Auth |
|---|---|---|
| OAuth / OIDC | `/connect/*` | Public |
| Discovery | `/.well-known/*` | Public |
| User Self-Service | `/api/v1/me/*` | Bearer token |
| SCIM Provisioning | `/scim/v2/*` | Bearer token |
| SAML | `/saml/*` | SAML bindings |
| UMA 2.0 | `/uma/*` | Bearer token |
| Admin (REST) | `/api/v1/*` | `X-Api-Key` |
| Admin (GraphQL) | `/graphql` | `X-Api-Key` |
| Health | `/health` | Public |
Prerequisites: .NET 10 SDK, PostgreSQL 16, Redis 7.
```bash
# Restore and build
dotnet build
# Run database migrations
dotnet ef database update \
  --project src/Gatekeeper.Infrastructure \
  --startup-project src/Gatekeeper.Server
# Run the server
dotnet run --project src/Gatekeeper.Server
# Run tests (requires Docker for Testcontainers)
dotnet test
```

- Fork the repository
- Create a feature branch from `dev`
- Make your changes (follow existing code conventions — see `docs/coding-conventions.md`)
- Ensure all tests pass
- Open a pull request against `dev`
If you discover a security vulnerability, please report it responsibly. Do not open a public issue. Email [SECURITY_CONTACT] with details and we will respond promptly.
Released under the Zero-Clause BSD (0BSD) license.